Typically, when a new password manager, antivirus, or other security tool comes on the market, the company contacts me, requesting a review.
That wasn't the case with Bitwarden.
Rather, fans of this free password manager contacted me to tell me why they think this free, open-source tool is excellent.
After putting it through its paces, I have to agree.
Bitwarden is totally free, with no limit on number of devices used or passwords stored.
Ponying up $10 per year for Bitwarden Premium simply gets you additional, advanced features that will be worth the nominal price to some users.
LastPass uses a similar model, having a free version with no limits and a premium version that adds advanced features, though LastPass Premium costs a bit more, at $36 per year.
No matter what device you use, Bitwarden has you covered.
It offers native apps for Windows, macOS, Linux, Android, and iOS.
Its browser extension supports the expected Chrome, Edge, Firefox, Opera, and Safari, as well as the less-common Vivaldi, Brave, and Tor Browser.
I did learn the hard way that the Edge extension is currently not working quite right—my company contact urged me to use any other browser for testing.
Getting Started With Bitwarden
As with most password managers, you start by setting up an account.
Enter your email, create a strong master password, and you're done.
Bitwarden does rate that master password weak, good, or strong as you type it, and it doesn't just look for a minimum length and use of different character sets.
I found that it zinged simple-minded patterns as well.
For example, the password 123Abc!123Abc!123Abc! is 21 characters long and uses all four character types, but Bitwarden still rates it as weak.
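The difference between a length-and-character-set rule and a pattern-aware rating, shown on the password above. This is an added example, not Bitwarden's code: the review does not describe how Bitwarden computes its rating, and the thresholds and function names here are assumptions chosen for illustration.

```python
import string

def char_classes(pw):
    """Count how many of the four character types appear in pw."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(any(t(c) for c in pw) for t in tests)

def naive_rating(pw):
    """Length and character-set rule only (thresholds are assumed)."""
    if len(pw) >= 12 and char_classes(pw) == 4:
        return "strong"
    if len(pw) >= 8 and char_classes(pw) >= 3:
        return "good"
    return "weak"

def repeating_unit(pw):
    """Return the shortest block that, repeated, reproduces pw exactly."""
    n = len(pw)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pw[:size] * (n // size) == pw:
            return pw[:size]
    return pw  # no whole-string repetition found

def pattern_aware_rating(pw):
    """Rate only the shortest repeating unit, since repeats add little."""
    return naive_rating(repeating_unit(pw))

if __name__ == "__main__":
    sample = "123Abc!123Abc!123Abc!"  # the password quoted in the review
    print("naive:        ", naive_rating(sample))
    print("repeated unit:", repeating_unit(sample))
    print("pattern-aware:", pattern_aware_rating(sample))
```

A production estimator would also score keyboard walks, sequences, and dictionary words; this sketch covers only whole-string repetition.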
Next, you download the app for your current device and log in.
If it's a desktop device, you'll also need to install the extension on all the browsers you use.
For a mobile device, I suggest you enable fingerprint authentication.
If you're switching from another password manager, Bitwarden can help, but you won't find the import feature in the program's menu.
Rather, you must launch the online portal by clicking Help and then Go To Web Vault.
From the online portal's menu, you can import passwords exported from Dashlane, Keeper, RoboForm, or more than 30 other password managers.
You can also import passwords stored in your browsers.
Dashlane, True Key, and a very few others attempt to delete passwords stored insecurely in the browser and turn off the browser's password capture.
Bitwarden doesn't attempt that feat, so be sure to take care of those tasks yourself.
Password Capture and Replay
I tested Bitwarden mostly on a Windows 10 machine.
As noted, the Edge extension wasn't working right, so I used Chrome.
To start, I simply logged in to 10 or so websites.
In almost every case, Bitwarden slid in a banner at the top of the page offering to save my credentials.
It handled some, but not all, of the two-page logins I tried.
For example, it captured Yahoo just fine, but couldn't get EventBrite.
I'm not sure why, but EventBrite has been a problem for other products as well.
I verified that Bitwarden captures credentials during account creation, and that it handles password change events.
When I tried a nonstandard login page, the capture system didn't kick in.
Some password managers, among them Keeper, Password Boss, and Sticky Password, handle oddball pages by letting you fill in all fields and then capture everything on demand.
My company contact confirmed Bitwarden doesn't do this, but pointed out that a tech-savvy user could solve the problem using the custom fields feature.
Some password managers immediately fill in your credentials when you revisit a site.
Others put an icon in the username field and fill credentials only after you click, which avoids some possible security risks.
Bitwarden takes a different path.
If it has credentials saved for the site you've visited, it overlays the number of entries on its toolbar button.
Click the button, click the desired entry, and it fills the data.
It's not quite as automated as most, but it works, and it doesn't matter how many sets of credentials you have for a given site.
You can also view your entire password collection by clicking the toolbar button and opening your vault.
From here, you can easily search to find the desired item and launch it in the browser.
Password Organization
The Bitwarden app and its online vault look very much alike, but as you've already seen there are differences.
To import data, you must use the vault.
To edit saved passwords, you must use the app.
And you probably will want to do some editing.
MyKi, Norton, Enpass Password Manager, and many others let you give each entry a friendly, memorable name at the time of capture.
With Bitwarden, capture is simpler, since you just click a button, but adding a friendly name required going into the editor.
You might, for example, take two entries with the default name "login.yahoo.com" and rename them to Personal Email and Work Email.
You can also organize your saved logins into folders.
LastPass and LogMeOnce Password Management Suite Premium are among the products that let you do this at capture time.
If you want to organize your Bitwarden logins, it's a little more work.
You must create the folders you want first, and then edit each item to put it in the desired folder.
Some products take the folder concept a step beyond.
With LastPass, Sticky Password Premium, RoboForm, and a few others, your nested folders become nested submenus attached to the browser toolbar button.
Bitwarden doesn't go that route, which is fine.
Password Generator
So, you managed to get all your passwords safely stored in Bitwarden's vault? That's half the job.
The other half involves replacing any weak or duplicate passwords with strong, unique passwords.
You'll have to scout out the bad ones yourself; Bitwarden does include analysis tools to find passwords that need changing, but it reserves that feature for paying customers.
The only one of the several reports available at the free level is one that checks the HaveIBeenPwned site to see if your email got caught up in a data breach.
When you do find a password that you've used multiple times, or a weak one like "123456," you don't have to think up the replacement yourself.
Like almost every competing product, Bitwarden includes a random password generator to help you.
By default, the password generator creates passwords containing capital letters, small letters, and digits, but no special characters (punctuation).
It avoids ambiguous characters like the digit 1 and small letter l.
And it forces at least one digit and (if included) one special character.
I strongly advise checking the box to add punctuation.
The generator can crank out passwords from five to 128 characters long, but it defaults to 14 characters.
I advise cranking it up to 16 characters, or even 20.
For some reason, the default length in the iOS edition is 10 characters, which is definitely too short.
On Android, Bitwarden defaults to 15 characters, and on both mobile platforms it uses all character sets by default.
By contrast, Myki Password Manager & Authenticator defaults to passwords of more than 30 characters, as does Enpass.
Since you don't have to remember the saved passwords, might as well make them long.
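A generator following the rules described above (desktop defaults, 5 to 128 characters, ambiguous characters avoided, at least one digit and one special character when enabled), written as an added example and not taken from Bitwarden's source. The exact ambiguous and punctuation sets are assumptions; the review names only the digit 1 and the small letter l.

```python
import secrets
import string

AMBIGUOUS = set("Il1O0")   # assumed set; the review names only 1 and l
SPECIAL = "!@#$%^&*"       # assumed punctuation set

def generate_password(length=14, special=False, avoid_ambiguous=True):
    """Random password from a CSPRNG with the guarantees the review lists."""
    if not 5 <= length <= 128:
        raise ValueError("length must be between 5 and 128")

    def pool(chars):
        # Drop look-alike characters when requested.
        return [c for c in chars
                if not (avoid_ambiguous and c in AMBIGUOUS)]

    upper = pool(string.ascii_uppercase)
    lower = pool(string.ascii_lowercase)
    digits = pool(string.digits)
    everything = upper + lower + digits + (list(SPECIAL) if special else [])

    # Force one digit, and one special character if that set is enabled.
    chars = [secrets.choice(digits)]
    if special:
        chars.append(secrets.choice(SPECIAL))

    # Fill the remainder from the full pool, then shuffle so the forced
    # characters do not always sit at the front.
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

if __name__ == "__main__":
    print(generate_password())                         # desktop default
    print(generate_password(length=20, special=True))  # the review's advice
```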
Bitwarden can also generate multi-word passphrases of the Correct-Horse-Battery-Staple type.
There's no point in using this feature for a password managed by Bitwarden, but you might consider using it to create a memorable master password like "many-putt-diminish-sturdy."
Security Features
Just about every password manager logs you out after a set period of inactivity.
You can set Bitwarden to log out after anywhere from one minute to four hours.
You can also set it to lock when the system goes to sleep.
Two-factor authentication, or 2FA, significantly enhances the security of your stored passwords.
Without some form of 2FA, anybody who guesses, steals, or hacks your password can get into the vault, no matter where in the world they are.
With 2FA enabled, access also requires another factor, something only you can provide.
Bitwarden's free edition supports 2FA via Google Authenticator or a workalike such as Duo Mobile.
Most two-factor systems require you to set up some kind of backup, such as a mobile number that can receive an unlock code via text.
When you go to enable 2FA in Bitwarden, it offers an unlock code and strongly advises you to store it in a safe place.
Snap the QR code with your authenticator app and you're ready to go.
There's also an option to receive 2FA codes via email, but using the app is a much smoother experience.
Users of Bitwarden's premium edition get more 2FA options.
They can set up authentication using a YubiKey, or any FIDO U2F-compatible security key.
Filling Personal Data
It's just a short step from filling username and password fields to filling other personal data in web forms.
Like LogMeOnce, Symantec Norton Password Manager, and many others, Bitwarden can store multiple sets of personal data and use them to help you when it's time to fill out a form.
Bitwarden stores two kinds of personal data items, Cards and Identities.
For each credit card you record details like the number, cardholder name, and CCV.
It doesn't let you snap the card with a smartphone camera the way Dashlane and a few others do, but filling in the data here means you don't have to fill it in elsewhere.
Each identity saves a simple collection of personal data, including name details, snail-mail address, email, and phone number.
It's not nearly the huge cornucopia of data stored by RoboForm Everywhere, and you can't have multiple instances of a field the way you can with Dashlane and a few others.
You don't even get separate lines for home, work, and mobile phone.
Even so, every field that Bitwarden fills is one you don't have to type.
If you want Bitwarden to fill the form you're staring at, just click its button and click the desired identity or credit card.
I tried a few sites as a simple sanity check and found that it mostly did the job, though it missed a few fields.
Organizations and Sharing
I always advise against sharing your passwords with just anyone, but sometimes you really must.
When you do have to share, you want the process to be both simple and secure.
Bitwarden handles this feature rather differently than most, but it's quite thorough and effective.
In Bitwarden's world, you don't share with other users, not directly.
You create an organization, invite other users, and then share with the organization.
Creating an organization is free, but the free level only allows you to share with one other person.
Paid sharing plans give you more choices, at a cost over and above the basic subscription price.
Within an organization, shared items fall into collections, which are like shared folders in products such as LastPass and Keeper Password Manager & Digital Vault.
Free users get just two collections; those paying cash have no limit.
The point is to let you share different passwords with different members of the group.
When the group has just two members, that's not a big concern.
As with WWPass PassHub, setting up sharing involves a multistep handshake.
You invite a recipient, the recipient accepts, and then you confirm the share.
As a double-check against hacking, you can use a phone call or text to confirm what Bitwarden calls a fingerprint phrase, unique to each installation.
As the creator of the organization, you are the all-powerful Owner.
There are three other levels of access, Admin, Manager, and User, but the distinctions really matter more to business installations.
In addition, you can limit each user to specific collections, or make the share read-only.
If you're sharing with a partner, it makes sense to give full Owner access.
If the share is more one-sided, perhaps with your child, User access in read-only mode is probably best.
Don't worry about the other levels.
A few competing products, among them LastPass, LogMeOnce, and Dashlane, let you set up a different kind of sharing.
With these products you designate an heir to receive some or all of your passwords in the event of your untimely demise.
Bitwarden doesn't offer this digital legacy feature at present, but it's on the roadmap.
Other Platforms
As noted, you can use Bitwarden on any device with a supported browser.
Bitwarden in Safari on a Mac works exactly like Bitwarden in Chrome on a PC.
For that matter, the native Bitwarden program is as identical as possible across the Windows / macOS divide.
Naturally, the web-based portal is truly identical regardless of platform.
More differences manifest in the mobile editions.
Bitwarden's Android edition has just gotten an update that brings it in line with the Windows edition feature-wise.
That same update is in the works for iOS, but until it hits, the iOS edition has limits.
There's no full list of items, for example—you have to open the search window to see everything.
Bitwarden does support biometric authentication on both mobile platforms, and includes the ability to autofill your credentials.
What's Not Here
As noted, Bitwarden doesn't yet have the digital legacy feature that's becoming more popular.
Overall, though, it brings a broad feature set to the table.
Most of the sought-after features it lacks become available in Bitwarden Premium.
Upgrading to premium gets you the ability to authenticate with a YubiKey or FIDO U2F security key.
It also lets you attach files to items, making them available across all your devices.
There's a cap of 1GB total storage, so you won't be storing anything huge.
Paying customers get access to several reports aimed at helping you fix password problems.
In addition to the expected reports on weak and duplicate passwords, Bitwarden Premium can reveal passwords exposed in data breaches, websites in your list that don't use HTTPS, and sites where you're failing to use available two-factor authentication.
But even at the premium level, Bitwarden doesn't offer the full-scale actionable password report and automated password updates that you get with LastPass, LogMeOnce, and Dashlane.
One popular technique for two-factor authentication relies on Google Authenticator or work-alike apps that generate...